The OGO Blog

How Do I Prepare For An Audit of My DR/BCP Plan?

dr for credit unions, disaster recovery tabletop exercises

If you have either a CPA, NCUA, FDIC, or OTS audit coming up and you would like to review your plan to make sure it will meet the general requirements, this post is for you.

The Basics

  • The basics in preparing for an audit or examination should include:
  • Is there anything from the last report we still need to complete/update?
  • Review industry discussion forums for the latest areas of focus by auditors/examiners.
  • UPDATE the PLAN! Make sure every part of your plan documentation is up to date, especially the BIA.
  • Train staff. They should be aware of your DR/BCP and prepared to demonstrate at least a minimal knowledge and understanding.
  • Test – have written confirmation of your last test and key details of what worked and didn’t work. Have planned actions and remediation steps for the stuff that didn’t work.

The Full Checklist

If you would like a much more detailed checklist based on the FFIEC examination guidelines – here you go!

The goal of the Business Continuity Plan (BCP):

  • Minimize financial losses to the institution
  • Serve customers and financial markets with minimal disruptions
  • Mitigate the negative effects of disruptions on business operations

Board and Senior Management are responsible for:

  • Overseeing the BCP process
  • Establishing policy by determining how the institution will manage and control identified risks
  • Allocating knowledgeable personnel and sufficient financial resources to implement the BCP
  • Ensuring that the BCP is independently reviewed and approved at least annually
  • Ensuring employees are trained and aware of their roles in the implementation of the BCP
  • Ensuring the BCP is regularly tested on an enterprise-wide basis
  • Reviewing the BCP testing program and test results on a regular basis
  • Ensuring the BCP is continually updated to reflect the current operating environment

The financial institution’s BC planning process should reflect the following objectives:

  • The BCP process should include the recovery, resumption, and maintenance of all aspects of the business, not just recovery of the technology components’
  • BC planning involves the development of an enterprise-wide BCP and the prioritization of business objectives and critical operations that are essential for recovery
  • BC planning includes the integration of the institution’s role in financial markets
  • BC planning should include regular updates to the BCP based on changes in business processes, audit recommendations, and lessons learned from testing
  • BC planning represents a cyclical, process-oriented approach that includes a business impact analysis (BIA), a risk assessment, risk management, and risk monitoring and testing

The BIA is the first step in the BC planning process and should include:

  • Assessment and prioritization of all business functions and processes, including their interdependencies, as part of a work flow analysis
  • Identification of the potential impact of business disruptions resulting from uncontrolled, non-specific events on the institution’s business functions and processes
  • Identification of the legal and regulatory requirements for the institution’s business functions and processes
  • Estimation of maximum allowable downtime, as well as the acceptable level of losses, associated with the institution’s business functions and processes
  • Estimation of recovery time objectives (RTOs), recovery point objectives (RPOs), and recovery of the critical path (see PMI project management standards.)

The risk assessment is the second step in the business continuity planning process. It should include:

  • Evaluating the BIA assumptions using various threat scenarios
  • Analyzing threats based upon the impact to the institution, its customers, and the financial market it serves
  • Prioritizing potential business disruptions based upon their severity, which is determined by their impact on operations and the probability of occurrence
  • Performing a “gap analysis” that compares the existing BCP to the policies and procedures that should be implemented based on prioritized disruptions identified and their resulting impact on the institution

Risk Management represents the third step in the Business Continuity
blankPlanning Process. It is defined as the process of identifying, assessing, and reducing risk to an acceptable level through development, implementation, and maintenance of a written, enterprise-wide BCP. The BCP should be:

  • Based on a comprehensive BIA and risk assessment
  • Documented in a written program
  • Reviewed and approved by the Board and Senior Management at least annually
  • Disseminated to financial institution employees
  • Properly managed when the maintenance and development of the BCP is outsourced to a third-party
  • Specific regarding what conditions should prompt implementation of the plan and the process for invoking the BCP
  • Specific regarding what immediate steps should be taken during a disruption
  • Flexible to respond to unanticipated threat scenarios and changing internal conditions
  • Focused on the impact of various threats that could potentially disrupt operations rather than on specific events
  • Developed based on valid assumptions and an analysis of interdependencies

Final Steps

In addition to the specific steps from the FFIEC handbook – OGO recommends the following items based on our experience.

  • Emergency medical policy and procedures (triage and first responder liaison)
  • Evacuation (primary, alternate, shelter-in-place)
  • Crisis activation, Crisis Management, and the decision process (Management succession, activation policy/procedures, CMT/EOC activation, staff/board/vendor/vital contact list)
  • Special Recovery or Continuity Teams (RIT, Facilities, Network, Core, MIS)
  • Specific external threats (earthquake, hackers, spam, phishing, pharming, robbery, bomb, pandemic, kidnap, extortion, riot/looting, economic, flood)
  • Specific internal threats (fire, loss of staff, disgruntled employee, workplace violence, theft/embezzlement, data compromise, espionage, single-points-of-failure)
  • Departmental Continuity Plans and supporting documents
  • Supplemental (vital records, contracts, supplies, exercise history, BCP distribution, life-cycle, and board approval)


Credit Union Compliance and Credit Union Risk Management

Are you concerned about how to establish and maintain a robust Business Continuity Program? Do you worry about how to engage staff in the process and hold them accountable? If you have these or other questions, please contact us below: